This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Question about XQL to make a BIOC

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Question about XQL to make a BIOC

EnriqueSanz
L1 Bithead

‎10-13-2023 02:22 AM

Hello,

 

I'm trying to make a BIOC to inform when a SSH conection is made in some critical assets, but I'm not able to do it in XQL, I have done it using the interface.

 

Network Connections AND Destination [ Remote port = 22 ] AND Host [ Host Name = <name> ]

 

The link to the XQL documentation is broken and I'm not able to find how to do it. I prefere to make it in XQL due to I want to make some exclusions and in the interface builder I can only make one exclusion...

 

Can you please help me?

 

Best regards

0 Likes Likes
4 REPLIES 4

nsinghvirk
L4 Transporter

‎10-16-2023 05:50 AM

Hello @EnriqueSanz ,

 

Thanks for reaching out on LiveCommunity!

Please take reference from below XQL query to create your BIOC rule. This query simply detect remote port 22 on a particular host. 

dataset = xdr_data
| filter event_type = NETWORK and action_remote_port = 22 and agent_hostname = "<hostname>"

 

You can add your use case requirements to it.

Below are the links to XQL and BIOC guides.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Get-Started-...

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Working-wit...

 

Please let us know which documentation links are broken so that we can repair them or provide you updated ones.

0 Likes Likes

EnriqueSanz
L1 Bithead

‎10-16-2023 06:54 AM

 

Hi @nsinghvirk,

 

First of all, thanks for the reply!

 

The URL that is broken is the first one that I get when I search "xql search" on Google, https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/...

 

On the other hand, I don't get any result when I use the suggested querie using the same asset that the interface search gives me 7 results... I don't know if the problem is in the configuration...

0 Likes Likes

nsinghvirk
L4 Transporter
In response to EnriqueSanz

‎10-16-2023 09:29 AM - edited ‎10-16-2023 09:30 AM

Hello @EnriqueSanz ,

 

For better search, please bookmark below link for XDR admin guide and in future search within it for your queries.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Overview

 

Regarding the query, please ensure that you are using same time period in your XQL query and in the interface.

0 Likes Likes

EnriqueSanz
L1 Bithead

‎10-17-2023 03:56 AM

Hello!

 

Yes, I'm using the same period... It's weird...

 

 

0 Likes Likes
  • 1093 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks